chore(release): 0.3.0 [skip ci]

# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12) ### Features * **ci:** Selective tests ([d2e7ac9](d2e7ac9348))
feat(ci): Selective tests
2025-12-06 07:21:36 +01:00 · 2023-09-12 21:18:26 +00:00 · 2023-09-12 21:16:33 +00:00 · 2023-09-06 17:12:09 +00:00 · 2023-09-06 19:09:59 +02:00 · 2023-09-06 07:53:01 +00:00
36 changed files with 213 additions and 78 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -129,8 +129,9 @@ variables:
    options:
      - "yes"
      - "no"
-  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test Gitlab project API with project ID."
+  TESTS_BRANCH:
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
+    value: "main"
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -408,51 +409,50 @@ run-tests:
      when: "always"
  script:
    - |
-      COMPONENTS="login or portal or profile or navigation"
-      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
-        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
-          or xwiki"
-      else
-        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
-        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
-        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
-        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
-        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
-        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
-        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
-        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
-        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
-      fi
-
-      echo "Gathering passwords from UCS container ..."
      UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
      )
-      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )

-      echo "triggering test pipeline ..."
-      curl -X POST \
-        -F "ref=main" \
-        -F "token=${CI_JOB_TOKEN}" \
-        -F "variables[url]=https://portal.${DOMAIN}" \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-        -F "variables[components]=\"${COMPONENTS}\"" \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"url\": \"https://portal.${DOMAIN}\", \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+        } \
+      }" \
+      "https://${TESTS_PROJECT_URL}/trigger/pipeline"

 generate-release-assets:
  stage: "generate-release-assets"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,39 @@
+# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
+
+
+### Features
+
+* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
 ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)


--- a/README.md
+++ b/README.md
@@ -311,15 +311,25 @@ actual scalability of the components (see column `Scaling (verified)`).
 This list gives you an overview of default security settings and if they comply with security standards:


-| Component  | Process    | allowPrivilegeEscalation (`false`)  |                       capabilities (`drop: ALL`)                       | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|------------|------------|:-----------------------------------:|:----------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV     | clamd      |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | freshclam  |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | icap       |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | milter     |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| MariaDB    | mariadb    |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Postfix    | postfix    |         :white_check_mark:          | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
-| PostgreSQL | postgresql |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                   capabilities (`drop: ALL`)                                   | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Jitsi      | jibri                    |        :x:         |         :white_check_mark:         |                                       :x: (`SYS_ADMIN`)                                        |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jicofo                   |        :x:         |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|            | jvb                      |        :x:         |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | prosody                  |        :x:         |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | web                      |        :x:         |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix                  |        :x:         |         :white_check_mark:         | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`, `NET_ADMIN`, `NET_RAW`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                       :white_check_mark:                                       |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |


 # Component integration
@@ -450,17 +460,14 @@ components we are going to cover various aspects:

 ## Tests

-There is a frontend end-to-end test suite that can get triggered if the
-deployment is performed via a Gitlab pipeline.
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
+`<domain of gitlab>/api/v4/projects/<id>`.

-Currently, the test suite is in progress to be published, so right now it is
-only usable by project members. But that will change soon, and it could be used
-to create custom tests and perform them after deployment.
-
-The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
-points to the test pipeline residing in another Gitlab repository. At the end of
-the deployment the test pipeline is triggered. Tests are just performed for
-components that have been deployed prior.
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+`TESTS_BRANCH` while creating a new pipeline.


 # Footnotes
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
  tag: "{{ .Values.images.collabora.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -16,6 +16,7 @@ configuration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.element.repository }}"
  tag: "{{ .Values.images.element.tag }}"
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapseWeb.repository }}"
  tag: "{{ .Values.images.synapseWeb.tag }}"
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapse.repository }}"
  tag: "{{ .Values.images.synapse.tag }}"
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.wellKnown.repository }}"
  tag: "{{ .Values.images.wellKnown.tag }}"
--- a/helmfile/apps/intercom-service/values.gotmpl
+++ b/helmfile/apps/intercom-service/values.gotmpl
@@ -29,6 +29,7 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.intercom.repository }}"
  tag: "{{ .Values.images.intercom.tag }}"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -10,7 +10,7 @@ repositories:
 releases:
  - name: "jitsi"
    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.4.1"
+    version: "1.5.1"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -118,6 +119,7 @@ patchJVB:
    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
  image:
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
    tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
--- a/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
@@ -19,6 +19,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.keycloakBootstrap.repository }}"
  tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 resources:
  {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -23,7 +23,7 @@ handler:
 {{- else if .Values.images.keycloakExtensionHandler.tag }}
    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
 {{- end }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
    smtpHost: "{{ .Values.smtp.host }}"
@@ -40,13 +40,10 @@ proxy:
 {{- else if .Values.images.keycloakExtensionProxy.tag }}
    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
 {{- end }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    tls:
      enabled: "{{ .Values.ingress.tls.enabled }}"
--- a/helmfile/apps/keycloak/values-extensions.yaml
+++ b/helmfile/apps/keycloak/values-extensions.yaml
@@ -11,11 +11,35 @@ global:
 handler:
  appConfig:
    captchaProtectionEnable: "False"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true

 postgresql:
  enabled: false

 proxy:
-  image:
-    tag: "latest"
+  ingress:
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 ...
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -14,6 +14,7 @@ image:
  repository: "{{ .Values.images.keycloak.repository }}"
  tag: "{{ .Values.images.keycloak.tag }}"
  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"

 externalDatabase:
  host: "{{ .Values.databases.keycloak.host }}"
@@ -81,6 +82,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
    - name: "LDAPSEARCH_USERNAME"
      value: "ldapsearch_keycloak"
+  resources:
+    {{ .Values.resources.keycloak | toYaml | nindent 4 }}

 resources:
  {{ .Values.resources.keycloak | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-keycloak.yaml
+++ b/helmfile/apps/keycloak/values-keycloak.yaml
@@ -54,5 +54,32 @@ keycloakConfigCli:
    - "--import.var-substitution.enabled=true"
  cache:
    enabled: false
+  containerSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true

+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -4,11 +4,11 @@
 repositories:
  - name: "opendesk-nextcloud-bootstrap-repo"
    oci: true
+    # yamllint disable rule:line-length
    url: >-
-      # yamllint disable rule:line-length
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
-      # yamllint enable rule:line-length
+    # yamllint enable rule:line-length
  - name: "nextcloud-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -44,6 +44,7 @@ config:
    password: "{{ .Values.smtp.password }}"

 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.nextcloud.repository }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
--- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -25,7 +25,7 @@ ingress:
        - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -7,6 +7,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
  digest: "{{ .Values.images.dovecot.digest }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -7,6 +7,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -34,6 +34,7 @@ public-sector-ui:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
  {{- end }}
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"

 appsuite:
  istio:
@@ -96,6 +97,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreMW.repository }}
      tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -113,6 +115,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUI.repository }}
      tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"

  core-ui-middleware:
    ingress:
@@ -126,6 +129,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"

  core-guidedtours:
    imagePullSecrets:
@@ -135,6 +139,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"

  guard-ui:
    imagePullSecrets:
@@ -144,11 +149,13 @@ appsuite:
    image:
      repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
      tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"

  core-user-guide:
    image:
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -10,7 +10,7 @@ global:
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.openproject.tag }}"

 memcached:
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.oxConnector.tag }}"

 imagePullSecrets:
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -10,12 +10,12 @@ repositories:
    oci: true
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
  - name: "mariadb-repo"
    oci: true
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
  - name: "postfix-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -65,7 +65,7 @@ releases:
    condition: "mariadb.enabled"
  - name: "postfix"
    chart: "postfix-repo/postfix"
-    version: "2.0.0"
+    version: "2.0.1"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
@@ -86,6 +86,7 @@ releases:
    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
+      - "values-istio-gateway.yaml"
      - "values-istio-gateway.gotmpl"
    condition: "istio.enabled"

--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -10,6 +10,7 @@ clamd:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.clamd | toYaml | nindent 4 }}

@@ -20,6 +21,7 @@ freshclam:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.freshclam.repository }}"
    tag: "{{ .Values.images.freshclam.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}

@@ -33,6 +35,7 @@ icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.icap | toYaml | nindent 4 }}

@@ -43,6 +46,7 @@ milter:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.milter.repository }}"
    tag: "{{ .Values.images.milter.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.milter | toYaml | nindent 4 }}

--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.gotmpl
@@ -10,10 +10,12 @@ image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}
--- a/helmfile/apps/services/values-istio-gateway.yaml
+++ b/helmfile/apps/services/values-istio-gateway.yaml
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+tls:
+  httpsRedirect: false
+...
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.mariadb.repository }}"
  tag: "{{ .Values.images.mariadb.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -12,6 +12,7 @@ image:
  registry: {{ .Values.global.imageRegistry }}
  repository: "{{ .Values.images.postfix.repository }}"
  tag: "{{ .Values.images.postfix.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 certificate:
  secretName: "{{ .Values.ingress.tls.secretName }}"
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.postgresql.repository }}"
  tag: "{{ .Values.images.postgresql.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

 job:
  users:
--- a/helmfile/apps/services/values-redis.gotmpl
+++ b/helmfile/apps/services/values-redis.gotmpl
@@ -16,6 +16,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.redis.repository }}"
  tag: "{{ .Values.images.redis.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"

 master:
  persistence:
--- a/helmfile/apps/univention-corporate-container/values.gotmpl
+++ b/helmfile/apps/univention-corporate-container/values.gotmpl
@@ -13,7 +13,7 @@ global:

 image:
  registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  repository: "{{ .Values.images.univentionCorporateServer.repository }}"
  tag: "{{ .Values.images.univentionCorporateServer.tag }}"

--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
  tag: "{{ .Values.images.xwiki.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"

 externalDB:
  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -39,4 +39,8 @@ global:
  imagePullSecrets:
    - "external-registry"

+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -21,22 +21,22 @@ images:
    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  jibri:
    repository: "jitsi/jibri"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
  jicofo:
    repository: "jitsi/jicofo"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
  jitsi:
    repository: "jitsi/web"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
  jitsiKeycloakAdapter:
    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230816"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
  jitsiPatchJVB:
    repository: "bitnami/kubectl"
-    tag: "1.26.6"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
  jvb:
    repository: "jitsi/jvb"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
  icap:
    repository: "souvap/tooling/images/c-icap"
    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
@@ -109,7 +109,7 @@ images:
    tag: "15-alpine"
  prosody:
    repository: "jitsi/prosody"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
  redis:
    repository: "bitnami/redis"
    tag: "7.0.12-debian-11-r0"
Author	SHA1	Message	Date
Thorsten Roßner	6d23534ee0	chore(release): 0.3.0 [skip ci] # [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12) ### Features * ci: Selective tests ([`d2e7ac9`](`d2e7ac9348`))	2023-09-12 21:18:26 +00:00
Tobias Heinzmann	d2e7ac9348	feat(ci): Selective tests	2023-09-12 21:16:33 +00:00
Thorsten Roßner	2125037a3c	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * jitsi: Update jitsi to 1.5.1 and fix prosody image ([`ed7e5e4`](`ed7e5e428e`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 17:12:09 +00:00
Dominik Kaminski	ed7e5e428e	fix(jitsi): Update jitsi to 1.5.1 and fix prosody image	2023-09-06 19:09:59 +02:00
Dominik Kaminski	d28a425673	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 07:53:01 +00:00
Dominik Kaminski	a6fa846afc	fix(services): Fix capabilities of postifix	2023-09-05 21:50:31 +02:00
Dominik Kaminski	4380e78981	fix(nextcloud): Fix yamllint disable comment	2023-09-05 20:31:32 +02:00
Dominik Kaminski	be82243966	fix(services): Fix OCI registry address of postgresql, mariadb	2023-09-05 20:15:03 +02:00
Dominik Kaminski	f9886448b6	fix(helmfile): Add imagePullPolicy default env variable	2023-09-05 19:59:18 +02:00
Dominik Kaminski	0eceb85e7d	fix(helmfile): Update images and add jitsi, keycloak to security section in docs	2023-09-05 18:49:09 +02:00
Dominik Kaminski	1ef4a861ac	fix(services): Disable https redirect in istio to fix cert-manager issues	2023-09-05 18:48:18 +02:00
Dominik Kaminski	3b90533063	fix(keycloak): Improve default security settings	2023-09-05 18:47:28 +02:00
Dominik Kaminski	1349181d80	fix(jitsi): Update chart to 1.4.2 with improved security and fixed change on each deployment	2023-09-05 18:47:04 +02:00